From: Dan Carpenter <dan.carpenter@oracle.com>
To: Ming Qian <ming.qian@nxp.com>
Cc: mchehab@kernel.org, shawnguo@kernel.org, robh+dt@kernel.org,
s.hauer@pengutronix.de, hverkuil-cisco@xs4all.nl,
kernel@pengutronix.de, festevam@gmail.com, linux-imx@nxp.com,
aisheng.dong@nxp.com, linux-media@vger.kernel.org,
linux-kernel@vger.kernel.org, devicetree@vger.kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v18 04/15] media: amphion: add vpu core driver
Date: Wed, 9 Mar 2022 15:06:54 +0300
Message-ID: <20220309120654.GC2592@kili>
In-Reply-To: <4d2fb002750d21804dddd89de3a5e6f3462123e6.1645670589.git.ming.qian@nxp.com>

On Thu, Feb 24, 2022 at 11:10:02AM +0800, Ming Qian wrote:
> +struct vpu_inst *vpu_core_find_instance(struct vpu_core *core, u32 index)
> +{
> + struct vpu_inst *inst = NULL;
> + struct vpu_inst *tmp;
> +
> + mutex_lock(&core->lock);
> + if (!test_bit(index, &core->instance_mask))

The "index" value comes from vpu_handle_msg() so I think it's untrusted
and this test_bit() can read way out of bounds. It needs to be:

	if (index < BITS_PER_LONG && !test_bit(index, &core->instance_mask))

> + goto exit;
> + list_for_each_entry(tmp, &core->instances, list) {
> + if (tmp->id == index) {
> + inst = vpu_inst_get(tmp);
> + break;
> + }
> + }
> +exit:
> + mutex_unlock(&core->lock);
> +
> + return inst;
> +}
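
Review bot: at the `test_bit(index, &core->instance_mask)` line, `index` is used as a bit offset with no upper bound, so a value at or beyond the width of `instance_mask` reads past the mask. Reject such a value before the bit test and skip the list walk too, for example `if (index >= BITS_PER_LONG || !test_bit(index, &core->instance_mask)) goto exit;` (this assumes `instance_mask` is a single unsigned long, as the BITS_PER_LONG bound in the reply implies). If the bound is joined with `&&` instead, an out-of-range index avoids the read but still falls through to `list_for_each_entry()` rather than taking `goto exit`.
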
[ snip ]
> +static int vpu_rpc_send_cmd_buf(struct vpu_shared_addr *shared, struct vpu_rpc_event *cmd)
> +{
> + struct vpu_rpc_buffer_desc *desc;
> + u32 space = 0;
> + u32 *data;
> + u32 wptr;
> + u32 i;
> +
> + desc = shared->cmd_desc;
> + space = vpu_rpc_check_buffer_space(desc, true);
> + if (space < (((cmd->hdr.num + 1) << 2) + 16))

In the current code the math here cannot overflow. But it seems like
we could easily add a check:

	if (cmd->hdr.num > 0xff)
		return -EINVAL;

> + return -EINVAL;
> + wptr = desc->wptr;
> + data = (u32 *)(shared->cmd_mem_vir + desc->wptr - desc->start);
> + *data = 0;
> + *data |= ((cmd->hdr.index & 0xff) << 24);
> + *data |= ((cmd->hdr.num & 0xff) << 16);
> + *data |= (cmd->hdr.id & 0x3fff);
> + wptr += 4;
> + data++;
> + if (wptr >= desc->end) {
> + wptr = desc->start;
> + data = shared->cmd_mem_vir;
> + }
> +
> + for (i = 0; i < cmd->hdr.num; i++) {
> + *data = cmd->data[i];
> + wptr += 4;
> + data++;
> + if (wptr >= desc->end) {
> + wptr = desc->start;
> + data = shared->cmd_mem_vir;
> + }
> + }
> +
> + /*update wptr after data is written*/
> + mb();
> + desc->wptr = wptr;
> +
> + return 0;
> +}
> +
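
Review bot: in the header word, `(cmd->hdr.num & 0xff) << 16` truncates the count to 8 bits while the copy loop runs `i < cmd->hdr.num` times, so a count above 0xff would write more payload words than the header advertises. Returning -EINVAL for `cmd->hdr.num > 0xff` ahead of the space check keeps header and payload in agreement and bounds the `(cmd->hdr.num + 1) << 2` arithmetic. Separately, the first store through `shared->cmd_mem_vir + desc->wptr - desc->start` uses `desc->wptr` before it is compared with `desc->start` or `desc->end`; if the descriptor can be modified by the firmware side, a range check on `wptr` belongs before that store.
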
> +static bool vpu_rpc_check_msg(struct vpu_shared_addr *shared)
> +{
> + struct vpu_rpc_buffer_desc *desc;
> + u32 space = 0;
> + u32 msgword;
> + u32 msgnum;
> +
> + desc = shared->msg_desc;
> + space = vpu_rpc_check_buffer_space(desc, 0);
> + space = (space >> 2);
> +
> + if (space) {

It would be nicer if this condition were:

	if (space >= sizeof(u32)) {

> + msgword = *(u32 *)(shared->msg_mem_vir + desc->rptr - desc->start);
> + msgnum = (msgword & 0xff0000) >> 16;
> + if (msgnum <= space)
> + return true;
> + }
> +
> + return false;
> +}
> +
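
Review bot: `if (msgnum <= space)` compares the payload count against every available word, including the header word that was just read, so it can return true while the last payload word is still missing. Assuming messages use the same layout as the command path, which budgets `(cmd->hdr.num + 1) << 2` bytes for header plus payload, the test should be `if (msgnum < space)`. The read of `msgword` at `shared->msg_mem_vir + desc->rptr - desc->start` also takes `desc->rptr` without comparing it against `desc->start` and `desc->end`, which deserves a check if the other side can write the descriptor.
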
regards,
dan carpenter